I would like to point out what security.tls.version.min actually
does:
http://kb.mozillazine.org/Security.tls.version.*
Setting security.tls.version.min to 1 allows TLSv1.0 to be used,
which is vulnerable to a similar padding oracle attack (and timing
oracle attacks) found long ago. You should be using a value of 2
for this setting.
-Brad
On 10/16/2014 10:28 AM, Marco Galicia wrote:
Hi,
As far as I know, a new vulnerability called poodle has been
discovered regarding https. This vulnerability takes
advantage of the ssl 3.0, and forces the https protocol
to use this outdated protocol.
I have been told that a fix for this vulnerability is to
disable the use of this protocol in the web browsers.
In iceweasel:
change this option in about:config
security.tls.version.min
to 1
shouldn't iceweasel be recompiled to include this
option in the compilation settings??
Can it be done officially in debian??
Can this be done also for other web browsers??
If it is not possible to do it officially??
How can I do it?? What would be the compilation
parameter, something like " /.config
--security.tls-version.min.1??
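Added example, not part of the original thread: a Python check that reads Firefox/Iceweasel preference text (the `user_pref(...)` / `pref(...)` lines of a prefs.js or user.js file) and reports whether `security.tls.version.min` is below the value of 2 recommended in the reply above. The function names, the `required_min` parameter and the sample preference text are constructed for illustration; the value mapping used is 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.

```python
import re

# Integer values of security.tls.version.min and the protocol each one names.
TLS_PREF_VALUES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Matches lines such as: user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample input (not taken from a real profile).
SAMPLE_USER_JS = '''\
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.min", 0);
// user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.min", 1);
'''

def parse_prefs(text):
    """Return {pref name: raw value string}; a later assignment overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):  # skip commented-out prefs
            continue
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs

def audit_tls_min(text, required_min=2):
    """Return (status, value, weak_protocols_still_allowed).

    status is "unset" (pref absent, the browser default applies),
    "invalid" (not an integer), "weak" (below required_min) or "ok".
    """
    raw = parse_prefs(text).get("security.tls.version.min")
    if raw is None:
        return ("unset", None, [])
    try:
        value = int(raw)
    except ValueError:
        return ("invalid", raw, [])
    # Every protocol from the configured minimum up to (not including) the
    # required minimum is still negotiable by the browser.
    weak = [TLS_PREF_VALUES[v] for v in range(value, required_min) if v in TLS_PREF_VALUES]
    return ("ok" if value >= required_min else "weak", value, weak)

if __name__ == "__main__":
    print(audit_tls_min(SAMPLE_USER_JS))
```

The check only looks at the minimum version; block comments (`/* ... */`) in the preference file are not handled.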